<?xml version="1.0" encoding="ISO-8859-1"?>

<!--
  ~ Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  ~
  ~  WSO2 Inc. licenses this file to you under the Apache License,
  ~  Version 2.0 (the "License"); you may not use this file except
  ~  in compliance with the License.
  ~  You may obtain a copy of the License at
  ~
  ~  http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~  Unless required by applicable law or agreed to in writing,
  ~  software distributed under the License is distributed on an
  ~  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~  KIND, either express or implied.  See the License for the
  ~  specific language governing permissions and limitations
  ~  under the License.
-->

<ApplicationAuthentication xmlns="http://wso2.org/projects/carbon/application-authentication.xml"
                           xmlns:svns="http://org.wso2.securevault/configuration">

    <!--
        ProxyMode allows framework to operate in either 'smart' mode
        or 'dumb' mode.
        smart = both local and federated authentication is supported
        dumb = only federated authentication is supported
    -->
    <ProxyMode>{{authentication.proxy_mode}}</ProxyMode>

    <!--
        AuthenticationEndpointURL is location of the web app containing
        the authentication related pages
    -->
    <AuthenticationEndpointURL>{{authentication.endpoints.login_url}}</AuthenticationEndpointURL>
    <AuthenticationEndpointRetryURL>{{authentication.endpoints.retry_url}}</AuthenticationEndpointRetryURL>
    <AuthenticationEndpointMissingClaimsURL>{{authentication.endpoints.request_missing_claims_url}}</AuthenticationEndpointMissingClaimsURL>
    {% if authentication.endpoints.wait_url is defined %}
    <AuthenticationEndpointWaitURL>{{authentication.endpoints.wait_url}}</AuthenticationEndpointWaitURL>
    {% endif %}
    {% if authentication.endpoints.prompt_url is defined %}
    <AuthenticationEndpointPromptURL>{{authentication.endpoints.prompt_url}}</AuthenticationEndpointPromptURL>
    {% endif %}
    {% if authentication.identifier.first.endpoint.confirmation_url is defined %}
    <IdentifierFirstConfirmationURL>{{authentication.identifier.first.endpoint.confirmation_url}}</IdentifierFirstConfirmationURL>
    {% endif %}

    <!--
        Extensions allow extending the default behaviour of the authentication
        process.
    -->
    <Extensions>
        <RequestCoordinator>{{authentication.framework.extensions.request_coordinator}}</RequestCoordinator>
        <AuthenticationRequestHandler>{{authentication.framework.extensions.authentication_request_handler}}</AuthenticationRequestHandler>
        <LogoutRequestHandler>{{authentication.framework.extensions.logout_request_handler}}</LogoutRequestHandler>
        <StepBasedSequenceHandler>{{authentication.framework.extensions.step_based_sequence_handler}}</StepBasedSequenceHandler>
        <RequestPathBasedSequenceHandler>{{authentication.framework.extensions.request_path_sequence_handler}}</RequestPathBasedSequenceHandler>
        <StepHandler>{{authentication.framework.extensions.step_handler}}</StepHandler>
        <HomeRealmDiscoverer>{{authentication.framework.extensions.home_realm_discoverer}}</HomeRealmDiscoverer>
        <ClaimHandler>{{authentication.framework.extensions.claim_handler}}</ClaimHandler>
        <ProvisioningHandler>{{authentication.framework.extensions.provisioning_handler}}</ProvisioningHandler>
        {% if authentication.framework.extensions.callback_factory is defined %}
        <CallbackFactory>{{authentication.framework.extensions.callback_factory}}</CallbackFactory>
        {% endif %}
    </Extensions>

    <!--
        AuthenticatorNameMappings allow specifying an authenticator
        against a pre-defined alias (which will be used by other components.
        E.g. Application Mgt component). This enables the usage of a custom
        authenticator in place of an authenticator that gets packed with the
        distribution.
    -->
    <AuthenticatorNameMappings>
        <AuthenticatorNameMapping name="BasicAuthenticator" alias="basic"/>
        <AuthenticatorNameMapping name="OAuthRequestPathAuthenticator" alias="oauth-bearer"/>
        <AuthenticatorNameMapping name="BasicAuthRequestPathAuthenticator" alias="basic-auth"/>
        <AuthenticatorNameMapping name="IWAAuthenticator" alias="iwa"/>
        <AuthenticatorNameMapping name="SAMLSSOAuthenticator" alias="samlsso"/>
        <AuthenticatorNameMapping name="OpenIDConnectAuthenticator" alias="openidconnect"/>
        <AuthenticatorNameMapping name="PassiveSTSAuthenticator" alias="passive-sts"/>
        {% for authenticator in authentication.custom_authenticator %}
        {% if authenticator.alias is defined %}
        <AuthenticatorNameMapping name="{{authenticator.name}}" alias="{{authenticator.alias}}"/>
        {% endif %}
        {% endfor %}
    </AuthenticatorNameMappings>

    <!--
        AuthenticatorConfigs allow specifying various configurations needed
        by the authenticators by using any number of \'Parameter\' elements
        E.g.
        <AuthenticatorConfig name="CustomAuthenticator" enabled="true" />
            <Parameter name="paramName1">paramValue</Parameter>
            <Parameter name="paramName2">paramValue</Parameter>
        </AuthenticatorConfig>
    -->
    <AuthenticatorConfigs>
        {% for name,authenticator in authentication.authenticator.items() %}
        <AuthenticatorConfig name="{{authenticator.name}}" enabled="{{authenticator.enable}}">
            {% for parameter,value in authenticator.parameters.items() %}
            <Parameter name="{{parameter}}">{{value}}</Parameter>
            {% endfor %}
        </AuthenticatorConfig>
        {% endfor %}
        {% for authenticator in authentication.custom_authenticator %}
        <AuthenticatorConfig name="{{authenticator.name}}" enabled="true">
            {% for parameter,value in authenticator.parameters.items() %}
            <Parameter name="{{parameter}}">{{value}}</Parameter>
            {% endfor %}
        </AuthenticatorConfig>
        {% endfor %}
    </AuthenticatorConfigs>

    <!--
        Sequences allow specifying authentication flows for different
        registered applications. \'default\' sequence is taken if an
        application specific sequence doesn't exist in this file or
        in the Application Mgt module.
    -->
    <!-- Note: This doesn't seem to be used anymore, hence skipping the templating -->
    <Sequences>
        <!-- Default Sequence. This is mandatory -->
        <Sequence appId="default">
            <Step order="1">
                <Authenticator name="BasicAuthenticator"/>
            </Step>
        </Sequence>
    </Sequences>

    <!--
        AuthenticationEndpointQueryParams are the request parameters
        that would be sent to the AuthenticationEndpoint.
        'action' defines the behaviour: if 'include', only the defined
        parameters would be included in the request.
        If 'exclude' specified, all the parameters received by the
        Authentication Framework would be sent in the request except
        the ones specified.
        'sessionDataKey', 'type', 'relyingParty', 'sp' and 'authenticators'
        parameters will be always sent. They should not be specified here.
    -->
    <AuthenticationEndpointQueryParams action="{{authentication.endpoint.query_params.filter_policy}}">
        {% for parameter in authentication.endpoint.query_params.filter_parameters %}
        <AuthenticationEndpointQueryParam name="{{parameter}}"/>
        {% endfor %}
    </AuthenticationEndpointQueryParams>

    <!--
        Similar to the 'AuthenticationEndpointQueryParams' above, the following section defines the parameters that
        should be included/excluded in the redirection responses from authentication framework. These parameters may be
        generated internally from the framework, handlers or authenticators. The filtered parameters will be available
        via the REST API for authentication framework. "removeOnConsumeFromAPI" defines whether to make the filtered
        parameters unavailable from the API on the first consumption.
    -->
    {% if authentication.endpoint.redirect_params.filter_policy is defined %}
    <AuthenticationEndpointRedirectParams
            action="{{authentication.endpoint.redirect_params.filter_policy}}"
            removeOnConsumeFromAPI="{{authentication.endpoint.redirect_params.remove_on_consume_from_api}}">
        {% for parameter in authentication.endpoint.redirect_params.parameters %}
        <AuthenticationEndpointRedirectParam name="{{parameter}}"/>
        {% endfor %}
    </AuthenticationEndpointRedirectParams>
    {% endif %}

    {% if authentication.endpoint.consent_page_redirect_params.allow is defined %}
    <AllowConsentPageRedirectParams>{{authentication.endpoint.consent_page_redirect_params.allow}}</AllowConsentPageRedirectParams>
    {% endif %}

    {% if authentication.endpoint.enable_custom_claim_mappings is defined %}
    <AllowCustomClaimMappingsForAuthenticators>{{authentication.endpoint.enable_custom_claim_mappings}}</AllowCustomClaimMappingsForAuthenticators>
    {% endif %}

    {% if authentication.endpoint.enable_merging_custom_claim_mappings_with_default is defined %}
    <AllowMergingCustomClaimMappingsWithDefaultClaimMappings>{{authentication.endpoint.enable_merging_custom_claim_mappings_with_default}}</AllowMergingCustomClaimMappingsWithDefaultClaimMappings>
    {% endif %}

    {% if tenant.domain_drop_down.enable is defined %}
    <TenantDomainDropDownEnabled>{{tenant.domain_drop_down.enable}}</TenantDomainDropDownEnabled>
    {% endif %}
    {% if tenant.data_listener_urls is defined %}
    <TenantDataListenerURLs>
        {% for listener in tenant.data_listener_urls %}
        <TenantDataListenerURL>
            {{listener}}
        </TenantDataListenerURL>
        {% endfor %}
    </TenantDataListenerURLs>
    {% endif %}

</ApplicationAuthentication>
